Global networking of computers has greatly affected business. As the number of computers linked to networks grows, businesses increasingly rely on networks to interact. More and more people use electronic mail, websites, various file transfer methods, and remote office applications, among other types of software, to facilitate business transactions and perform job related tasks. Widespread communication of business information between networks via public networks such as the Internet has raised security concerns about possible interception of sensitive information and/or undetected access to internal networks.
Data communicated within an organizational network has been considered to be more secure than data communicated across a public network, because the organization has control of its own network resources. Computer systems on a local area network can deliver data directly to other devices on the same local area network, because a physical infrastructure is shared and is within the organization's control. Delivery of information outside the organizational network has been considered to be less secure because the organization lacks control of resources through which the information travels.
With the introduction of low-cost wireless networking technologies, companies are now more vulnerable to interception and intrusion than ever before. Wireless networking equipment was initially targeted for consumer and home use and therefore was designed to be inexpensive and easy to use with little emphasis on security. However, wireless technology's rapid spread to the corporate environment has introduced security problems. Wireless technology allows devices to communicate without installing cables between the devices. Adding wireless access points to a wired network enables data to be sent from the wired network to the wireless network, and vice versa, as if the wireless devices were physically connected to the wired network.
Wireless access points allow wireless devices to view network traffic and communicate using network resources without being physically connected to the network. The ease of installation of wireless access points enables cheap installation of access points to corporate networks, with little restriction on who installs such access points. Consequently, wireless devices may gain access to the network without necessarily being within an organization's control or even without the organization's knowledge.
Even organizations that do not use wireless devices are susceptible to unauthorized access from the wireless domain. For example, consider an authorized host (computer system) on the network. The authorized host has a valid network address and is connected to the wired network via a switch. However, if the authorized host also has an integrated but unconfigured wireless device, the unconfigured wireless device can expose the network to unauthorized access. The unconfigured wireless device may, for example, send broadcasts into the wireless space, attempting to connect to either a wireless access point or to another wireless host in “ad-hoc” mode. An attacker can watch for these broadcasts and initiate a connection to the unconfigured wireless device by responding to the broadcasts.
For example, assume that an authorized host has a default wireless configuration to connect to an ad-hoc network called “default.” After observing a request to connect to the ad-hoc network “default,” an attacker can set its own wireless interface card to respond to “default” as well. Once connected to the wireless device on the authorized host, the attacker can initiate a network connection and launch attacks against the authorized host. If the authorized host has enabled a “forwarding” option, thereby providing a routing access point into the wired network, the attacker may also route packets to other hosts on the network via the wireless device of the authorized host.
As another example of vulnerability even though the network does not support wireless access points, only one (perhaps well-meaning) employee can compromise network security. For example, that employee might have a meeting in a location that is not connected to the corporate network. By bringing a personal wireless access point from home, that employee could connect her wireless device to the corporate network inside the building, enabling her to access the corporate network from outside the building. However, that employee may not realize that her wireless device enables other wireless devices to access the network as well. As another example, an employee may wish to use the corporate high-speed Internet connection and install a routing wireless access point that enables her device to connect via the routing wireless access point to share the Internet connection.
In even worse cases, someone with the intent to harm the organization could hide a wireless access point in the building, since some access points are no larger than a paperback novel. Therefore, corporate networks can become compromised from inside the building by misguided employees installing unauthorized access points, malicious hackers hundreds of yards (up to several miles) away, or ordinary people using the company's resources for free Internet access.
Outsiders connecting to the network via a wireless access point cannot be detected or identified easily from within the wired network. However, it is useful to determine whether a given communication originated with, or is targeted to, a wireless device, especially if wireless devices are not authorized to access the network. It is also helpful to be able to distinguish whether a given device is wireless, because an organization may wish to limit or prevent network access by wireless devices. For example, an administrator may wish to restrict wireless devices to access only a particular subnet.
Wireless scanning is one technique that is commonly used to detect wireless devices connected to the wired network and/or rogue wireless access points into the network. Wireless scanning uses a wireless radio, which scans the airwaves for wireless devices and determines whether those wireless devices are connected to the wired network. An example of one product suite that performs wireless scanning is the AirDefense Enterprise suite provided by AirDefense of Alpharetta, Ga.
While wireless scanning is useful in some situations, wireless radios have a limited range of airwaves that can be scanned and cannot detect remote devices outside that limited range. Because devices using a wireless access point can be remote from the network, those remote devices may not be detectable. In addition, wireless radios are sensitive to obstacles and other types of interference with radio waves and may be unable to detect unauthorized access due to interference.
Simple Network Management Protocol (SNMP) scanning is another technique that can be used to detect wireless devices and/or rogue wireless access points into the network. SNMP uses inter-network addresses, such as, but not limited to, Internet Protocol (IP) addresses. With SNMP scanning, queries are sent to the entire network address space in search of SNMP-enabled access points. When a response is received, a determination can be made whether the SNMP-enabled access point is authorized. An example of a product that performs SNMP scanning is WiSentry provided by WiMetrics Corporation of Bellevue, Wash.
While not subject to the same physical limitations as products that use wireless radios, SNMP scanning only detects access points that respond to SNMP queries. Rogue wireless access points, especially wireless bridges, are most often installed without a valid inter-network address (e.g., IP address) because no routing is required to communicate via the wireless bridge. Therefore, most rogue wireless bridges cannot be discovered using SNMP scanning.
Some passive techniques for determining whether a device is wireless take advantage of the fact that wireless networking technologies are typically slower than their wired counterparts (FastEthernet and newer). One such method monitors the response times of specific types of messages. When a device is discovered communicating significantly below the normal response time, a wireless connection may be the cause of the slower connection. However, such a determination is not certain, as other factors such as slower computer systems and slower wireless cards can produce the same effect. Furthermore, as wireless technologies improve, the performance gap between wired and wireless networks is decreasing.
A solution is needed to determine whether a device is wireless. Preferably, the solution should enable determination of whether a device is wireless even though the device is physically remote from the network. Furthermore, the solution should not require communication with the device via a particular protocol or a specific type of addressing scheme.